Okay, let me try to translate that legalese for you (I'm not a lawyer BTW but I regularly deal with GDPR and data protection issues):

"In a manner" means that you're absolutely free to use whichever means (i.e. technologies, systems, ...) you want to do your data processing with, as long as you make sure you keep the data secure.

"Appropriate security" is indeed a very vague term, but it is vague on purpose: As you probably know firsthand, technologies change rapidly these days, and what's considered "state of the art" today might be a "legacy system" in five years. Therefore, laws often do leave the interpretation of terms like the "appropriateness" above open to interpretation by the executive branch. In case of the GDPR, this means that at the highest level it will be the European Court that will decide if a given measure/technology was appropriate or not.

In practice we can't (and do not want to) fight out each definition in court of course, so in addition to that last instance the member countries try to release guidelines that should help companies to judge what measures are appropriate. Unfortunately, there's not always consensus between individual countries here so you will have to find a compromise or look at the guidelines of the country you're based in (as that's where complaints about your company will be handled in the first instance).

For Germany, the BSI (Bundesamt für die Sicherheit in der Informationstechnik) would be the relevant instance to look for guidance when it comes to IT security best practices, and the standard that they define will (usually) be followed by the federal data protection agencies.

As a final remark, what helped me a lot in understanding the intent behind the law is to read the "motivations" section, which is where the lawmakers write down the actual intent they had when creating a given law. These are used by courts to interpret laws in case of ambiguity and can (in my opinion) greatly help to gain a better understanding of some of the more cryptic articles. Here's the link: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A...

If you have any specific questions about appropriate measures or the GDPR please feel free to reach out to me (contact info in my profile), I'm always eager to learn about your problems and will be glad to give you free advice wherever I can.